Vidar

Vidar is dangerous malware that steals information and cryptocurrency from infected users. It takes its name from the ancient Scandinavian god of vengeance. This upgraded version of the Arkei stealer has been active on the internet since 2018.

Type: Trojan
Origin: ex-USSR
First seen: 1 December, 2018
Last seen: 30 September, 2020
Also known as: Arkei
Global rank: 20
Week rank: 12
Month rank: 14
IOCs: 6271

What is Vidar / Arkei malware?

Vidar is an information-stealing Trojan that was first identified in December 2018. It is either a fork of Arkei or the result of Arkei's evolution. Named after the god of vengeance from Scandinavian mythology, Vidar is used to steal information from infected machines, take screenshots, steal cryptocurrency and more.

General description of Vidar

Vidar is presumed to have originated in a Russian-speaking country, since the malware is configured to stop execution if it detects that it is running on a machine located in one of the ex-USSR nations or on one that has a Russian keyboard layout.

As another piece of malware sold under the MaaS (Malware-as-a-Service) business model, Vidar can be purchased on its "official" website for a hefty $700, at least for the PRO version; a stripped-down version of the malware can be obtained for $250.

Vidar is written in C++. Purchasing an account grants the attacker access to a control panel where the malware can be configured to target particular information on the victims' PCs. As with Arkei, customers have to protect the main payload themselves, using a cryptor or a packer. The control panel displays the current builder version, user settings, malware status, and logs. It should be noted that the domain names Vidar uses to locate its C&C servers, where the stolen data is dropped, change every four days.

Vidar is capable of stealing text files in multiple formats, browser cookies and history, and other browser records, including data from the TOR browser, as well as autofill values including banking and credit card details. In addition, the malware can search for cryptocurrency wallet information, take screenshots and record private messages from various software.

What's more, Vidar is also able to steal digital coins from offline wallets. Holders of Litecoin, Bitcoin, Ethereum, Zcash, and DashCore are at potential risk, as these are the cryptocurrencies currently supported by the malware.

After collecting all targeted information, the malware archives it and sends the stolen data to a control server, after which Vidar removes traces of its work and deletes itself from the system.

Vidar malware analysis

A video recorded in the ANY.RUN malware hunting service allows us to take a closer look at the lifecycle of Vidar.

Figure 1: A visual process graph generated by ANY.RUN

Figure 2: The customizable text report provided by ANY.RUN is a convenient way to share the results of an analysis

Vidar execution process

After the user downloads and runs the malicious file, it spawns a child process and starts collecting information from the infected device. Often, once the information has been collected, the malware kills and deletes itself through a command-line command.
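The self-deletion step described above leaves a distinctive parent/child footprint: the stealer process launches a command interpreter whose command line names the stealer's own executable as the thing to delete. The following is an added example of detection logic for that footprint, written for this page and not code from ANY.RUN. The page does not quote Vidar's actual command, so the verbs and wait commands matched below (del/erase, timeout/ping, taskkill) are an assumption about how self-deletion is commonly expressed, and the process-creation events are constructed, modelled loosely on Sysmon Event ID 1 fields.

```python
"""Flag a process that spawns a shell to delete its own executable.

Added example, not ANY.RUN code. The exact command-line patterns are an
assumption (the page does not quote Vidar's command); events are constructed.
"""
import re

SHELLS = {"cmd.exe", "powershell.exe"}
# Assumed vocabulary for "delete a file" and "wait before doing it".
DELETE_VERBS = re.compile(r"\b(?:del|erase|remove-item|rm|rmdir)\b", re.I)
WAIT_VERBS = re.compile(r"\b(?:timeout|ping|choice|sleep|start-sleep)\b", re.I)


def _basename(path):
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return behaviour tags for one process-creation event (empty = benign)."""
    tags = []
    if _basename(event["Image"]) not in SHELLS:
        return tags
    # Strip quotes so a quoted path still compares equal to the parent image.
    norm = event["CommandLine"].lower().replace('"', "")
    parent = event["ParentImage"].lower()
    names_parent = parent in norm or _basename(parent) in norm
    if DELETE_VERBS.search(norm) and names_parent:
        tags.append("deletes_parent")
    if WAIT_VERBS.search(norm):
        tags.append("delays")
    if "taskkill" in norm and names_parent:
        tags.append("kills_parent")
    return tags


def find_self_deleting(events):
    """(parent image, tags) for every event whose shell child deletes the parent."""
    out = []
    for e in events:
        tags = classify(e)
        if "deletes_parent" in tags:
            out.append((e["ParentImage"], tags))
    return out


# Constructed events (not from the ANY.RUN task): one stealer-like
# self-deletion, one benign installer cleaning up a log, one unrelated shell.
EVENTS = [
    {"EventID": 1,
     "ParentImage": r"C:\Users\u\AppData\Local\Temp\build.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del "C:\Users\u\AppData\Local\Temp\build.exe"'},
    {"EventID": 1,
     "ParentImage": r"C:\Program Files\App\setup.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c del "C:\Users\u\AppData\Local\Temp\setup.log"'},
    {"EventID": 1,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c ipconfig /all"},
]

if __name__ == "__main__":
    for parent, tags in find_self_deleting(EVENTS):
        print(f"self-deletion by {parent}: {', '.join(tags)}")
```

The rule keys on the relationship between parent image and child command line rather than on a fixed string, so a renamed stealer binary or a different temp directory still triggers it, while the benign installer that deletes a log file it did not spawn from does not.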

How to avoid infection by Vidar?

When spread via spam email campaigns, the Vidar stealer requires the user to download and run a malicious file before it can enter an active state and begin execution. Following some basic online safety rules therefore goes a long way toward keeping users safe from this malware.

Users should be careful with attachments in emails from unknown senders. The best practice is to avoid downloading such files altogether.

In addition, downloading only licensed software from trustworthy sources and avoiding game hacking clients greatly reduces the risk of infection by malware such as Vidar, which uses these distribution vectors.

The distribution process of Vidar

Like other malware, Vidar / Arkei is distributed through spam email campaigns as a malicious attachment. Cases of Vidar being distributed through shady software and game hacking clients have also been recorded. Vidar targets users all over the world with the exception of some ex-USSR countries, including Russia.

How to detect Vidar / Arkei using ANY.RUN?

Some malware creates files in which it names itself. You can find such information about the Arkei trojan using ANY.RUN's "Static Discovering": either open the "Files" tab in the lower part of the task window, or click on the process and then on the "More Info" button in the window that appears. After that, just click on the file.

Figure 3: Arkei's log file

Conclusion

Vidar / Arkei is a highly dangerous information-stealing trojan, distributed as malware-as-a-service. Thanks to its extensive stealer feature set, the Vidar trojan can retrieve a wide variety of information, including select cryptocurrency coins from its victims. Additionally, Vidar is capable of stealing data from the TOR browser.

Thankfully, malware hunting services like ANY.RUN allow researchers to conduct extensive studies of malware samples in a secure environment, so that they can share information about the threat and develop effective countermeasures.

IOCs

IP addresses
88.99.66.31
204.11.56.48
208.95.112.1
18.205.93.1
198.98.57.54
18.205.93.0
199.59.242.150
89.45.67.160
141.8.192.151
18.205.93.2
188.241.39.10
199.195.250.165
143.204.215.24
116.202.242.166
143.204.215.24
169.239.129.117
206.123.158.142
208.95.112.1
92.119.113.254
192.99.1.185
Hashes
c6635a2d5fba85d1d0b6a40e0a377cc54418f357f284bd1342aca0d41f2a7dc2
400acf504079ad78b81a66935f827fe5e4667a5f8d8f1dc58e80dc2171ee89cf
7b02ca9b842110100cd0471c27498b46a2542507ffaee32086bdfa4fd9c736b3
c6abd95cd1757386348a99e955f5a4bed9f3ed13cc08d1aa2cc069dfca0611cf
99fae1fe1739052540a8a99cb4377fb9c0a575a3b880d96940f6c06b12d50edf
66b245839ea50f213bf3c9f711ee4f2bf6c9a284ef5c90e1af4687b98d3884d2
aba9f9d6904d1474f7a0693e80d182eff9cb8a1c185f0090876cf8eb83914cbb
a52ed8a9f6d0d26517e6c0940c46345235f226634031fb5ab285f5c1a5d5d7b1
113d1daf082b4b05958d1c8142c2184c759979af48404362310950fbe9a2e16c
4d47791970c9e4b829ef0cc0049eecdfae3655f87a1e79620bbcc39eb8c21c8b
61c68a78dbf0b59071a51a26d758afea888aba7871d1219750dd9178d0495851
f1f45014743cac425404602576dc0fcbc1dcd475d12ac8968b81f1e52e6c6651
b2a09c9456f92b831da77a7ab8f7a1f72d3cb9d4e238575f222fa0ca4f5c6a9c
74465e9ad0ef9a1cce5f2e7485c20cb2f7d15cee1f224ac8629f68656febb39e
0ed804428ecb0ee5fa3a1d044cdc33468fe5c94deb3308f49b64b668bff9f4d1
abee76290e3676225284ab7b2543eecb66b3f97c5a10160b4f81843ad70e070a
2c9538aaf6058783ac6e7c6676769ba3904a584b0bbc8c475852b11096c3c368
a8ca93adc4384dc66b6c8c6034ae5942d29d0aa5291f35d4b80189413d64f76c
3a8d5d497ac9245d3265ccc003284e9bb1495d421249fffa1695687402e6093a
0ad129705597bc856559a66ce0ceff713dd2462bf2ba90a6b5800230ccd59ba1
Domains
grlawcc.com
onzcda.com
89gospel.com
2no.co
myleftheart.com
musk-giveaway.com
xoso.thememanga.com
bedsbreath.com
bookstower.com
majul.com
www.proxyocean.com
penweb01.jabill.com
bulkbacklinks.com
www.tiltmediaproductions.com
homearcadegames.com
www.fuelarcade.com
www.homearcadegames.com
bodymindchallenger.com
www.hotgiftzone.com
online-sale24.com
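The IOC list above is published as three plain runs of values under the headers "IP addresses", "Hashes" and "Domains", and it contains repeats (two IP addresses appear twice). The following is an added example, written for this page and not ANY.RUN code, that parses that layout into typed sets, reports the duplicates, and sweeps log lines for hits, including subdomains of the listed domains. It embeds a subset of the page's own IOCs in the page's layout; the log lines are constructed for illustration. Several of the listed IP addresses appear to fall in ranges used by large cloud and CDN providers, so an IP-only hit is weak evidence on its own; the hashes and domains are the higher-confidence indicators.

```python
"""Parse the page-style Vidar IOC dump and sweep log lines for matches.

Added example, not ANY.RUN code. IOC values are a subset of those on the page;
log lines are constructed.
"""
import re
from collections import Counter

# Subset of the page's IOC section, kept in its layout: a header line followed
# by one value per line. Two IPs appear twice, exactly as in the published list.
IOC_TEXT = """
IP addresses
88.99.66.31
204.11.56.48
208.95.112.1
143.204.215.24
116.202.242.166
143.204.215.24
208.95.112.1
Hashes
c6635a2d5fba85d1d0b6a40e0a377cc54418f357f284bd1342aca0d41f2a7dc2
400acf504079ad78b81a66935f827fe5e4667a5f8d8f1dc58e80dc2171ee89cf
7b02ca9b842110100cd0471c27498b46a2542507ffaee32086bdfa4fd9c736b3
Domains
grlawcc.com
onzcda.com
89gospel.com
2no.co
www.proxyocean.com
"""

SECTION_KEYS = {"IP addresses": "ip", "Hashes": "sha256", "Domains": "domain"}
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
# Last label must be alphabetic, so dotted IPv4 addresses never match here.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def parse_iocs(text):
    """Split the dump into typed sets; return (iocs, sorted duplicate values)."""
    iocs = {"ip": set(), "sha256": set(), "domain": set()}
    seen = Counter()
    kind = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_KEYS:
            kind = SECTION_KEYS[line]
            continue
        if kind is None:
            raise ValueError(f"value before any section header: {line!r}")
        value = line.lower()  # hashes and domains are case-insensitive
        seen[(kind, value)] += 1
        iocs[kind].add(value)
    duplicates = sorted(v for (_, v), n in seen.items() if n > 1)
    return iocs, duplicates


def _parents(domain):
    """Yield the domain and each parent with at least two labels."""
    labels = domain.split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def sweep(log_lines, iocs):
    """Return [(line_no, kind, matched_ioc)] for every IOC seen in the lines."""
    hits = []
    for no, line in enumerate(log_lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in iocs["ip"]:
                hits.append((no, "ip", ip))
        for h in SHA256_RE.findall(line):
            if h.lower() in iocs["sha256"]:
                hits.append((no, "sha256", h.lower()))
        for d in DOMAIN_RE.findall(line):
            for cand in _parents(d.lower()):
                if cand in iocs["domain"]:
                    hits.append((no, "domain", cand))
                    break
    return hits


# Constructed log lines (not from ANY.RUN): DNS, proxy, EDR hash event, benign.
SAMPLE_LOGS = [
    "2020-09-30T10:12:01Z dns client=10.0.0.15 qname=cdn.grlawcc.com type=A",
    "2020-09-30T10:12:02Z proxy 10.0.0.15 -> 88.99.66.31:443 CONNECT onzcda.com",
    "2020-09-30T10:12:05Z edr file_create path=C:\\Users\\u\\AppData\\Local\\Temp\\x.exe "
    "sha256=C6635A2D5FBA85D1D0B6A40E0A377CC54418F357F284BD1342ACA0D41F2A7DC2",
    "2020-09-30T10:13:00Z proxy 10.0.0.22 -> 93.184.216.34:443 CONNECT example.com",
]

if __name__ == "__main__":
    iocs, dups = parse_iocs(IOC_TEXT)
    print("duplicate IOCs in list:", dups)
    for hit in sweep(SAMPLE_LOGS, iocs):
        print("hit:", hit)
```

The parser raises on a value that precedes any header, which catches a truncated copy-paste of the list, and the sweep reports the listed indicator rather than the raw token, so a hit on cdn.grlawcc.com is attributed to the published grlawcc.com entry.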
